Cyble – Citrix Users At Risk: AresLoader Spreading Through Disguised GitLab Repo

Multiple Malware Families Leveraging AresLoader for Propagation

Malware loaders are programs or scripts that have been created to install and run different types of malware on a victim’s computer system. The main objective of a malware loader is to avoid detection and continue operating on the victim’s computer by downloading and executing additional malicious software. To achieve this, loaders may use tactics such as encrypting or obfuscating the malicious payload to make it more difficult for antivirus software to detect it.

Recently, Cyble Research and Intelligence Labs (CRIL) has observed a new loader called AresLoader that has been used to spread several types of malware families. AresLoader is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022. This loader is available on a Malware-as-a-Service (MaaS) model and is developed by the same Threat Actors (TA) who were responsible for the AiD Locker ransomware. The members of this group are also suspected of having connections to a Russian hacktivist group. The cost of AresLoader is USD 300 per month, including five builds.

The figure below displays the AresLoader post on a cybercrime forum.

Figure 1 Post on Cybercrime Forum
Figure 1 – Post on Cybercrime Forum

AresLoader operates through a series of stages, with the initial loader binary containing embedded code that is injected in subsequent stages. After analyzing several binaries of AresLoader, CRIL discovered that the loader code’s extraction and injection methods are inconsistent across every binary.

This highlights the TA’s efforts to avoid detection by frequently updating their infection techniques.

The loader has been observed to be used by multiple malware strains, as depicted in the figure below.

Figure 2 Spreading Different Malware
Figure 2 – Spreading Different Malware

According to the TA, the malware initiates the launch of a legitimate file before deploying a malicious payload. The TAs responsible for this loader offer access to a builder that can be utilized to create a loader executable. Additionally, several web panels have been identified in association with this loader.

The figure below displays the AresLoader web panel.

Figure 3 AresLoader Web Panel
Figure 3 – AresLoader Web Panel

Upon further investigation, CRIL discovered a GitLab repository located at hxxps[:]//gitlab.com/citrixchat-project/citrixproject/ distributing the AresLoader malware. This repository was masquerading as “citrixproject,” suggesting that the threat actor was specifically targeting Citrix users. Within this directory, the file labeled “AG.exe” was identified as AresLoader, which proceeded to download the LummaStealer and IcedID payloads.

The figure provided below illustrates the GitLab repository.

Figure 4 Disguised Citrix GitLab Repo
Figure 4 – Disguised Citrix GitLab Repo

Technical Analysis

The AresLoader executable (SHA:256 867c574602105903116dca0a8b826e474a555980a193524d1aa7f15aecbc9ae4) is a 32-bit binary compiled in C.  

The figure below shows the file details.

Figure 5 File Details
Figure 5 – File Details

Upon execution, the malware calls the CreateWindowEx() API with the class name “GLSample” and the window name “OpenGL Sample”. The window procedure function registered with this API does not contain any obvious malicious code in the callback function, leading us to suspect that this code may be intended to delay the analysis of the malware.

The figure below shows the code snippet of the CreateWindowEx() API.

Figure 6 Creating Hidden Window
Figure 6 – Creating Hidden Window

The next step for the malware is to try loading “sc.exe” using the CoLoadLibrary() function. In case this attempt fails, the functions within the if statement will be executed. These functions are meant to imitate the extraction of the following stage payload from the binary and then inject it into memory.

Nevertheless, these are fake functions and are just programmed to terminate the malware program.

The figure below shows the fake functions present in the malware.

Figure 7 Fake Functions
Figure 7 – Fake Functions

The malware now begins to enumerate the Process Environment Block (PEB) to gather information about the loaded modules. It does this by traversing the InMemoryOrderModuleList and accessing the third node in the list using Flink.

This allows the malware to retrieve the address of the _LIST_ENTRY structure for the “ntdll.dll” module for resolving APIs.

The figure below shows the GetNtDLL() function.

Figure 8 Enumerating PEB
Figure 8 – Enumerating PEB

Subsequently, the malware resolves APIs dynamically. This malware employs the API hashing technique to complicate detection and analysis. The targeted APIs belong to ntdll.dll and serve as a means for malware to perform malicious actions. The loader retrieves the address of the following API functions:

  • pLdrFindResource_U
  • pLdrAccessResource
  • pNtAllocateVirtualMemory
  • pNtQueueApcThread
  • pNtTestAlert

The figure below shows the GetNtDLL() and get_proc_address() functions.

Figure 9 Resolving APIs
Figure 9 – Resolving APIs

Next, the malware makes a call to the pLdrFindResource_U() function, which is used to locate a resource within the malware file. This function, on successful execution, returns a pointer to the resource data. This pointer is now passed to the pLdrAccessResource() function to retrieve the actual data of a resource located by the pLdrFindResource_U() function.

The figure below shows the calls made by the loader to fetch the resource data.

Figure 10 Accessing Resource Data
Figure 10 – Accessing Resource Data

Next, the malware uses the ZwAllocateVirtualMemory( ) function to reserve a memory area in the current process with read, write, and execute permissions.

The process for allocating memory space is demonstrated in the figure below.

Figure 11 Allocating Memory Space
Figure 11 – Allocating Memory Space

The next step in the process is to decrypt the resource data that was obtained earlier. This is achieved by using the key, which is obtained from the .rdata section. Once the memory is allocated, the decryption loop begins, and the decrypted PE file is stored in the newly allocated memory.

The figure below shows the decryption loop and the decrypted PE file.

Figure 12 Decrypts PE file
Figure 12 – Decrypts PE file

Subsequently, the malware makes a call to ZwQueueApcThread() and NtTestAlert() to inject code into its own process memory. The malware uses the ZwQueueApcThread() function to schedule an Asynchronous Procedure Calls (APCs) routine that executes the injected code. NtTestAlert() function is associated with the alerts mechanism and can trigger the execution of any outstanding APCs.

Figure 13 Executing Injected Code
Figure 13 – Executing Injected Code

AresLoader v3:

AresLoader can download and execute files. Initially, it creates a folder in the AppDataRoaming directory where the downloaded payloads are saved. The saved file is then executed using the CreateProcessA() function.

The method used for executing the downloaded files can be seen in the figure below.

Figure 14 Executing Malware Payloads
Figure 14 – Executing Malware Payloads

Prior to downloading the final payload, the Ares loader obtains the public IP address of the infected system by sending a request to https://ipinfo.io/ip utilizing the WinINet library.

Furthermore, it obtains additional information from the victim’s system and utilizes it to register the victim with the Command and Control (C&C) server via a POST request, as demonstrated below.

Figure 15 POST Request
Figure 15 – POST Request

Finally, AresLoader initiates an internet session using the InternetOpenA() function and sets the user agent string to “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.”. It then proceeds to make GET requests for downloading other malicious executables using the InternetOpenUrlA() function. Specifically, the malware makes GET requests to the following URLs:

  • hxxp[:]//193.233.134[.]57/manager/legit  —– Downloads a clean file
  • hxxp[:]//193.233.134[.]57/manager/payload —- Downloads LummaStealer
  • hxxp[:]//193.233.134[.]57/manager/hvnc —– Downloads IcedID

Conclusion

The AresLoader has been detected disseminating various types of malware, implying that several threat actors are utilizing it to propagate their malicious strains. To evade detection, this loader employs several defensive strategies. Our observation of different executables utilizing different approaches to inject the loader code suggests that these TAs continually enhance their infection tactics.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  • Avoid downloading files from unknown websites. 
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems. 

MITRE ATT&CK® Techniques 

Tactic  Technique ID  Technique Name 
Initial Access  T1566  Phishing 
Execution  T1204  User Execution 
Defense Evasion  T1027
T1055
T1027.007
Obfuscated Files or Information
Process Injection
Dynamic API Resolution
Discovery T1016 System Network Configuration Discovery
Command and Control T1071 
T1105
Application Layer Protocol 
Ingress Tool Transfer

Indicator Of Compromise (IOCs) 

Indicators  Indicator  
Type 
Description 
df79ba45a9c6bf187697fe7f3e2dd7bc
f064b3d1779692c1928869e6b682d0682e0d987d
867c574602105903116dca0a8b826e474a555980a193524d1aa7f15aecbc9ae4  
MD5
SHA1
Sha256 
AresLoader 
hxxp[:]//193.233.134.57/manager/hvnc hxxp[:]//193.233.134.57/register hxxp[:]//193.233.134.57/manager/payload hxxp[:]//193.233.134.57/manager/legit URL  C&C 
45.80.69.193 193.168.49.8 193.233.134.57 IP  C&C 
67029b569ad726b1b87cc62760472cc8
0d43665fd941533cdd3edbf71fd3f975bcd53967
169c70fc77814578aa83b3a666eb674c49e60ac6964b040de9b1e51c5966bf56
MD5 
SHA1 
Sha256 
AresLoader 
hxxps[:]//gitlab.com/citrixchat-project/citrixproject/” URL Malicious GitLab repo
ffc047f271e2db11338917aecb1f890b
92d00383cc03d165bb4a2e55fdcedc0dd184450a
69fd40c6c06cb719050c36234ba5117d275643d8aff72596167e9c2fee608cfb
MD5
SHA1
Sha256 
AresLoader

Source: https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/